WSUS - Not Seeing Patches Yet this Month

Discussion in 'Windows Small Business Server' started by Neil Hoskins, Aug 10, 2006.

  1. Neil Hoskins

    Neil Hoskins Guest

    Is it me? Patches have been out for a few days but nothing is showing up on
    WSUS. Oddly though, my test machine, which is set to automatically detect
    and install, detected and installed just fine a couple of days ago. How
    come I'm not being offered the patches for approval for the other machines?
     
    Neil Hoskins, Aug 10, 2006
    #1

  2. Neil Hoskins

    Guest Guest

    I have them all on a number of machines so I don't know what could be wrong.
     
    Guest, Aug 10, 2006
    #2

  3. Try running a manual sync and see if it succeeds.

    Go to the Updates page and look for the August updates - depending on your
    auto-approval settings, it's possible that the updates simply downloaded and
    approved themselves.
     
    Dave Nickason [SBS MVP], Aug 10, 2006
    #3
  4. Neil Hoskins

    Neil Hoskins Guest

    Tried that about a hundred times. Says it's synchronised OK.
    If I view updates in the last week, approval status is "installed" on the
    test machine that is set for automatic approval, and "unknown" for all the
    other machines.

    One thing is bothering me, in the automatic approval settings, should "all
    machines" be set to automatically "approve for detection"? Intuitively, I'd
    interpret this to mean that all machines detect updates but don't install
    them (which I don't want them to do until I've tested them); but maybe this
    needs to be set for WSUS to detect which machines need what?
     
    Neil Hoskins, Aug 10, 2006
    #4
  5. So it sounds like you're seeing the expected behavior. The updates are
    downloaded, and the critical and security ones probably approved themselves.
    You can check this by going to the Updates page, viewing updates with any
    approval synchronized in the last week, and seeing what the approval level
    is.

    All that "approve for detection" does is to let WSUS see which computers
    would need the update if you approved it. In other words, in the WSUS
    console, that update would show as Needed for each PC that called for the
    patch. It does not do anything as far as installing it or anything - you
    can't tell the status from the workstation, only from the WSUS console.

    But right below that setting is the "automatically approve" section, where
    IIRC by default all critical and security updates are approved
    automatically. In that case, all critical and security updates would be
    applied to the workstations according to their AU settings as controlled by
    group policy. Almost all (but not all) of this month's updates were critical or
    security.
     
    Dave Nickason [SBS MVP], Aug 10, 2006
    #5
  6. Neil Hoskins

    Neil Hoskins Guest

    Last night I changed the "automatically approve for detection" setting from
    just the test machine to all machines. This morning I have, waiting for
    approval, a few Defender definition updates, and August's malicious software
    removal tool, but all are marked as having been superseded and recommended
    to be declined. The security updates still don't appear.

    I checked a couple of workstations using Microsoft Update and they have not
    been installing updates automatically without me approving them. So the
    automatic approval settings are behaving as expected.
    In that setting, only the test machine is set to automatically approve for
    installation.


    I really don't think the damned thing's working correctly. As we only have
    around fifteen users and a decent broadband connection, I think I'll ditch
    it and have workstations update automatically from Microsoft Update. This
    probably means I'll take a hit on bandwidth but with the small number of
    users I've got that shouldn't be too severe. Plus I'll save acres of disk
    space on the server and have peace of mind.
     
    Neil Hoskins, Aug 11, 2006
    #6
  7. I wish I had a clearer understanding of what you're seeing. If WSUS is not
    working as you intend, I would suspect it to be a setting rather than an
    actual bug, since WSUS has been around for a while without much in the way
    of approval or detection issues being reported.

    What you're missing by abandoning MU is the ability to see, from one screen,
    that all of the client PCs and servers are patched and current. For
    example, I just went to my WSUS home page and saw that one PC has not yet
    applied the Patch Tuesday updates (a laptop that's been turned off). If
    something prevents one client PC from updating and you're not aware of it,
    you put your whole network at risk from that one PC.

    I think if you give a close look to the screen on Options -> Automatic
    Approval Options, you'll see what's happening and why. You can
    automatically approve certain classifications for detection and/or
    approval - two separate functions - and you can choose what computer groups
    the settings apply to. So for example, you could approve all updates for
    detection for all groups. In that case, you just see in the WSUS console
    which PCs need those updates. Then you could approve all updates for
    installation, but only for computers in the Test group. That way, Test gets
    everything approved for installation, while those same updates need manual
    approval for the other computer groups.

    There would be a way to configure WSUS to monitor the workstations while
    still using MU. That would be to set everything to approve for detection,
    then just look in WSUS to see what client PCs are detected as needing
    updates. Of course you would then want to configure WSUS not to download
    the updates. This seems like way too much work - manually configuring the
    clients to use MU (or doing that in group policy), then separately
    configuring WSUS to monitor. Personally, I'd just get WSUS working the way
    you want it to.
     
    Dave Nickason [SBS MVP], Aug 11, 2006
    #7
  8. Neil Hoskins

    kj Guest

    Changing the setting is not retroactive to updates that have already been
    synced.

    It only applies going forward.

    Unless you've got a lot invested in your WSUS installation, it might be best
    to remove your current installation and re-install, taking all the defaults.
    While it's doing its thing, print and read the WSUS deployment guide. It'll
    clear up some of your misconceptions.
     
    kj, Aug 11, 2006
    #8
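
The behaviour described in posts #7 and #8 (separate per-group rules for detection and installation, evaluated only when an update is first synced) can be replayed with a small model. This is an added example, not code from the thread and not the WSUS API; the class, the group names "Test" and "Workstations", and the update titles are constructed for illustration.

```python
from dataclasses import dataclass, field

DETECT, INSTALL = "detect", "install"
STATUS = {None: "Unknown", DETECT: "Needed", INSTALL: "Installed"}

@dataclass
class Update:
    title: str
    classification: str
    approvals: dict = field(default_factory=dict)  # group name -> action

class ApprovalModel:
    """Toy model of the behaviour described in the thread, not the WSUS API."""

    def __init__(self):
        self.rules = {DETECT: {}, INSTALL: {}}  # action -> {classification: groups}
        self.updates = {}

    def set_rule(self, action, classifications, groups):
        # Changing a rule only replaces the rule; stored updates are untouched.
        self.rules[action] = {c: set(groups) for c in classifications}

    def sync(self, catalog):
        # Rules are evaluated once, when an update first arrives.
        for title, classification in catalog:
            if title in self.updates:
                continue
            upd = Update(title, classification)
            for action in (DETECT, INSTALL):  # install wins over detect
                for group in self.rules[action].get(classification, ()):
                    upd.approvals[group] = action
            self.updates[title] = upd

    def approve(self, title, group, action):
        # Manual approval from the console.
        self.updates[title].approvals[group] = action

    def status(self, title, group):
        # Console view, assuming the client needs the update and has
        # already acted on any install approval.
        return STATUS[self.updates[title].approvals.get(group)]

    def unapproved(self, group):
        return [t for t, u in self.updates.items() if group not in u.approvals]

def replay_thread():
    m = ApprovalModel()
    kinds = ["Security", "Critical"]
    m.set_rule(DETECT, kinds, ["Test"])
    m.set_rule(INSTALL, kinds, ["Test"])
    m.sync([("Aug-Sec-1", "Security")])                  # constructed title
    m.set_rule(DETECT, kinds, ["Test", "Workstations"])  # the change in post #6
    m.sync([("Aug-Sec-1", "Security"), ("Sep-Sec-1", "Security")])
    return m
```

In the replay, the update synced before the rule change stays "Unknown" for the Workstations group until it is approved by hand, while the one synced afterwards shows as "Needed".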